Security Vulnerability Report
CVE-2025-48594 CVSS 7.3 HIGH

Published: 2025-12-08 17:16:17
Last Modified: 2025-12-11 15:15:48

Description

In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android Framework < 2025-12-01 security patch level
Affected code branch: ea2bcc66534263fac4c337f1a5149704c2262169

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48594 PoC - Android DisassociationProcessor Permission Retention
// This PoC demonstrates the improper input validation in onUidImportance method
// Note: This is a conceptual PoC based on the vulnerability description
// Actual exploitation requires specific Android environment and user interaction
public class DisassociationExploit {

    // Placeholder value so this conceptual sketch compiles
    private static final int IMPORTANCE_ORPHANED = 0;

    // Simulated vulnerable method signature
    public void onUidImportance(int uid, int importance) {
        // Vulnerable code - improper input validation
        // The method does not properly validate the state transition
        // when a companion app is being disassociated
        // Attacker can manipulate the importance value to retain privileges
        if (importance == IMPORTANCE_ORPHANED) {
            // Bug: Should clear companion app privileges here
            // But due to improper validation, privileges are retained
            processUidImportance(uid, importance);
        }
    }

    // Normal flow - should revoke privileges on disassociation
    public void onDisassociation(int uid) {
        // This should clear all special permissions
        // But vulnerable implementation allows privilege retention
        revokeCompanionPrivileges(uid);
    }

    // Empty stubs standing in for framework internals in this sketch
    private void processUidImportance(int uid, int importance) { }

    private void revokeCompanionPrivileges(int uid) { }

    // Exploitation scenario:
    // 1. Install malicious companion app
    // 2. Establish device association to gain special permissions
    // 3. Trigger disassociation
    // 4. Exploit onUidImportance validation flaw to retain permissions
    // 5. Execute privileged operations without proper authorization
}
// Reference: https://android.googlesource.com/platform/frameworks/base/+/ea2bcc66534263fac4c337f1a5149704c2262169

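References

https://android.googlesource.com/platform/frameworks/base/+/ea2bcc66534263fac4c337f1a5149704c2262169 (Patch, Product)
https://source.android.com/security/bulletin/2025-12-01 (Vendor Advisory)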

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48594", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:16.523", "lastModified": "2025-12-11T15:15:47.783", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": 
"2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/ea2bcc66534263fac4c337f1a5149704c2262169", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}